Zero-day vulnerabilities discovered: 11
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to an unknown error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.
Successful exploitation of the vulnerability results in a security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by the Fancy Bear APT.
This was used in Pawn Storm, which relied on exploits for these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.
Software: Oracle Java SE
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://blog.qualys.com/laws-of-vulnerabilities/2015/10/21/oracle-critical-patch-update-october-2015
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
Remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an unknown error in the Libraries component. A remote attacker can execute arbitrary code with the privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 targeting the White House and members of the North Atlantic Treaty Organization (NATO) back in April 2015.
The group has been active since 2007 and typically targets military, government and media organizations.
Software: Oracle Java SE
Links:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7033/oracle-java-se-remote-code...
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.pcworld.com/article/2948592/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vu...
http://www.computerworld.com/article/2947216/security/cyberespionage-group-pawn-storm-uses-exploit-f...
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.tripwire.com/state-of-security/latest-security-news/java-zero-day-bug-192-other-security...
http://www.securityweek.com/oracle-patches-java-zero-day-exploited-pawn-storm-attackers
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://duo.com/blog/update-flash-and-java-emergency-zero-day-patches
Array indexing error
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The exploit was released by the security research group Packet Storm Security.
Software: Oracle Java SE
Known/famous malware:
Styx exploit kit, previously known as Kein
Fiesta EK
Links:
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26978
https://www.zscaler.com/blogs/research/exploring-java-vulnerability-cve-2013-2465-used-fiesta-ek
http://infosecdailydigest.com/2013/08/24/metasploit-module-demo-for-cve-2013-2465-java-storeimagearr...
https://sgros-students.blogspot.com/2014/01/java-cve-2013-2465-vulnerability-and.html
http://www.pcworld.com/article/2046821/cybercriminals-add-new-exploit-for-recently-patched-java-vuln...
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability was exploited to deliver the MC Rat (Trojan). The vulnerability was found with the help of Malware Protection Cloud (MPC).
The vulnerability turned out to have been exploited in the Sun Shop campaign and was related to the breach at the security firm Bit9.
Software: Oracle Java SE
Known/famous malware:
Trojan.Naid, Trojan.Dropper (Symantec).
Links:
https://www.fireeye.com/blog/threat-research/2013/02/yaj0-yet-another-java-zero-day-2.html
https://twitter.com/jduck/status/307629902574800897
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml
https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493
https://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-inciden...
https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The CVE-2013-0422 exploit has also been identified as distributing the GameHack and Banki malicious code. The vulnerability was used by the Blackhole, Cool Exploit, and Nuclear exploit kits.
Software: Oracle Java SE
Known/famous malware:
TROJ_REVETON.RJ
TROJ_REVETON.RG.
Links:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://www.kb.cert.org/vuls/id/625617
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
https://www.ibm.com/blogs/psirt/oracle-java-7-security-manager-bypass-vulnerability-cve-2013-0422/
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-verbose-1896885.html
http://www.ampliasecurity.com/blog/2013/01/10/java_7_update_10_0-day_vulnerability_CVE-2013-0422/
http://www.zdnet.com/article/targeted-attack-against-uae-activist-utilizes-cve-2013-0422-drops-malwa...
http://www.welivesecurity.com/2013/01/11/java-0-day-exploit-cve-2013-0422/
http://www.cparequirements.com/2013/05/apple-facebook-and-microsoft-all-victims-of-java-cve-2013-042...
http://global.ahnlab.com/global/upload/download/documents/1401223631614158.pdf
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system. Researchers at FireEye began investigating the vulnerability after a Twitter post by Joshua J. Drake on August 26.
Software: Oracle Java SE
Links:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
http://rhn.redhat.com/errata/RHSA-2012-1225.html
https://www.fireeye.com/blog/threat-research/2012/08/java-zero-day-first-outbreak.html
https://www.fireeye.com/blog/threat-research/2012/08/zero-day-season-is-not-over-yet.html
https://www.alienvault.com/blogs/labs-research/new-year-new-java-zeroday
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-jav...
https://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
Improper Input Validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability was exploited by the BlackHole Exploit Toolkit after the official patch.
The vulnerability was made public by Michael 'mihi' Schierl.
According to Brian Krebs, the exploit was used in targeted attacks before the official patch from Oracle.
Software: Oracle Java SE
Known/famous malware:
Trojan.Maljava.
Links:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019076.html
https://www.symantec.com/connect/blogs/examination-java-vulnerability-cve-2012-1723
http://www.welivesecurity.com/2012/07/10/java-the-hutt-meets-cve-2012-1723-the-evil-empire-strikes-b...
https://threatpost.com/volume-malware-targeting-java-cve-2012-1723-flaw-spikes-080312/76878/
http://blog.crysys.hu/2012/07/on-the-cve-2012-1723-based-java-exploit-and-malware-sample/
http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/
https://wraithhacker.com/last-years-java-exploit-cve-2012-1723/
Spoofing attack
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an error in the TNS listener service. A remote attacker can register an existing instance or service name, use man-in-the-middle techniques, and read, inject or modify transmitted data.
Successful exploitation of this vulnerability may result in unauthorized access to the entire database.
Note: the vulnerability was being actively exploited.
Joxean Koret discovered this vulnerability in 2008 and publicly disclosed it in 2012.
The vulnerability was used in the "TNS Listener Poison Attack".
Software: Oracle Database Server
Links:
http://seclists.org/fulldisclosure/2012/Apr/343
http://thetechnologygeek.org/oracle-zero-day-vulnerability-still-not-patched/
https://blogs.oracle.com/security/entry/security_alert_for_cve_2012
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
https://lists.opensuse.org/opensuse-security-announce/2012-06/msg00018.html
http://www.informationsecuritybuzz.com/articles/oracle-tns-listener-poison-attack/
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-0-day-tns-listener-poison-at...
https://support.symantec.com/en_US/article.TECH219444.html
https://blog.qualys.com/laws-of-vulnerabilities/2012/05/01/oracle-adresses-0-day-tns-poison
http://pfierens.blogspot.com/2014/10/cve-2012-1675-listener-poisoning.html
http://searchsecurity.techtarget.com/tip/Using-the-network-to-prevent-an-Oracle-TNS-Listener-poison-...
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability was disclosed by James Forshaw.
Exploited by Wild Neutron.
Software: Oracle Java SE
Known/famous malware:
Exploit.Java.CVE-2012-3213.b.
Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the target system. According to Trend Micro, this is a zero-day. The vulnerability was discovered by Michael Schierl.
Software: Oracle Java SE
Known/famous malware:
Exploit:Java/CVE-2011-3544.
Links:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://blog.trendmicro.com/trendlabs-security-intelligence/2011-in-review-exploits-and-vulnerabiliti...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24700
http://repairinfectedpc.com/Exploit-Java-CVE-2011-3544-Removal/
https://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/#more-13070
https://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/#more-12679
https://www.cnet.com/forums/discussions/exploit-java-cve-2011-3544-583664/
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing a URL to a Java Network Launch Protocol (.jnlp) file. A remote attacker can create a specially crafted link, trick the victim into clicking on it, and execute arbitrary commands on the target system with the privileges of the current user.
Successful exploitation of the vulnerability results in compromise of the vulnerable system.
Note: this vulnerability is being actively exploited.
This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy.
The vulnerability was used in the Willysy attack. Users who visited the songlyrics.dot.com website were redirected to a Russian attack server.
Software: Oracle Java SE
Links:
https://www.sans.org/newsletters/newsbites/xii/30
http://www.computerworld.com/article/2517237/security0/hackers-exploit-new-java-zero-day-bug.html
http://www.theregister.co.uk/2010/04/15/emergency_java_patch/
http://www.oracle.com/technetwork/java/javase/6u20-142805.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-0886-094541.html
https://www.sans.org/newsletters/newsbites/xii/32
https://access.redhat.com/security/cve/cve-2010-0886
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=50263
http://www.javaworld.com/article/2073334/java--oracle-security-alert-cve-2010-0886.html
https://www.stopthehacker.com/2011/12/01/willysy-injection-attacks/